08-20-2012 04:48 AM
I need to configure a Site-to-Site VPN (PSK) between two offices. Both offices have an ASA 5505 firewall. The Office 2 ASA is going to be behind a NAT router (ISP) and it's not possible to turn NAT off. There is still a static IP address. Office 1 has a static public IP address and this IP is directly configured on the ASA.
Can someone help me a bit? I'm very unfamiliar with ASA. From my understanding the NAT won't be a problem when the VPN connection is started from the device that sits behind the NAT router?
08-20-2012 05:24 AM
You are right, if the ASA behind the NAT initiates the VPN, then the NAT device doesn't need any forwarding configured. The ASA just needs to be able to connect to the internet. On both ASAs NAT-Traversal needs to be enabled, but that's the default.
You can use the VPN-Wizard in ASDM to configure the VPN. On the ASA with the public IP (without NAT) just use the other side's public IP of the NAT device as the peer address. With that the VPN should work.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-20-2012 05:32 AM
Thank you karsten! That was helpful. I don't like wizards so I will try to configure VPN manually with CLI.
08-20-2012 05:38 AM
CLI is even better! Take a look at the following example and the L2L-section in the config-guide:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
v8.2: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/site2sit.html
v8.4: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
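The setup discussed in this thread, written out for the Office 1 side in ASA 8.4 IKEv1 syntax. This is an added example, not taken from any poster or from the linked Cisco documents; all addresses, object names, map names and the key are constructed placeholders.

```text
! Office 1 ASA (public IP directly on outside), ASA 8.4 IKEv1 syntax.
! Constructed values: 203.0.113.2 = public IP of Office 2's NAT router,
! 192.168.1.0/24 = Office 1 LAN, 192.168.2.0/24 = Office 2 LAN.
object network OFFICE1-LAN
 subnet 192.168.1.0 255.255.255.0
object network OFFICE2-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Interesting traffic; Office 2 uses the mirror image of this ACL.
access-list L2L-OFFICE2 extended permit ip object OFFICE1-LAN object OFFICE2-LAN
!
! Exempt tunnel traffic from NAT.
nat (inside,outside) source static OFFICE1-LAN OFFICE1-LAN destination static OFFICE2-LAN OFFICE2-LAN
!
! Phase 1. NAT-T is on by default; stated here only so it is visible.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
!
! Phase 2.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-OFFICE2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! The tunnel group is named after the address Office 1 sees,
! which is the NAT router's public IP, not Office 2's private outside IP.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <LONG-RANDOM-PSK>
!
! Office 2 ASA: same policy, transform set and key, mirrored ACL and
! NAT exemption, with "set peer" and the tunnel-group name set to
! Office 1's public IP (placeholder 198.51.100.1).
```

Once traffic from the Office 2 LAN brings the tunnel up, `show crypto isakmp sa` and `show crypto ipsec sa` on either ASA confirm the Phase 1 and Phase 2 state.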